In today’s cybersecurity news…
React Native Metro bug impacts thousands of servers
Researchers at JFrog found that threat actors are exploiting a flaw in Metro, the native JavaScript bundler for React Native projects. By default, Metro can expose development-only HTTP endpoints for local use to external network interfaces. On Windows, the bug allows for executing arbitrary OS commands through POST requests, while on macOS and Linux, it can allow for limited parameter control on arbitrary executables. JFrog disclosed the vulnerability in November and observed exploitation beginning on December 21st. There are currently about 3,500 exposed React Native Metro servers online.
Greece and Spain set to ban social media for kids
A senior government source told Reuters that the Greek government is “very close” to announcing a social media ban for those under 15 in the country. Spain’s Prime Minister Pedro Sánchez said the country plans to ban social media for those under 16 and to create a law holding social media executives personally responsible for hate speech on their platforms. Sánchez also mentioned that Spain would join five other European countries in a “Coalition of the Digitally Willing” to coordinate on cross-border regulation of a social media ban. France and Britain are both considering similar age-gate regulations, and Australia passed a ban back in December.
(Reuters)
Moltbook shows the dangers of vibe coding
Moltbook, a Reddit-like forum designed for use by AI agents, was vibe coded into existence by Matt Schlicht just a few days ago. It quickly saw a bunch of agents join up, boasting over a million members. But security researchers from Wiz and 404 Media found that the platform had a misconfigured Supabase database that allowed read and write access to its entire production database. This leaked data on account holders, authentication tokens, and private messages between agents, and allowed anyone to delete or edit any and all site content. It also showed that about 17,000 human owners were behind the swarm of bots, and that the platform had no mechanism to verify whether a user was an agent or a human.
CISA is silently updating vulnerability notices
CISA’s Known Exploited Vulnerabilities catalog has become an industry mainstay for patching and for providing guidance on patching timelines for government agencies. However, GreyNoise researcher Glenn Thorpe noted that the agency gives no notice when it changes an entry’s “known ransomware use” indicator from “unknown” to “known.” He argues this represents “a material change in your risk posture” that changes organizational priorities. In an analysis, Thorpe identified 59 flipped vulnerabilities affecting Microsoft, Ivanti, Fortinet, and Zimbra. Of these, 39% were confirmed to be used in ransomware campaigns in 2025 yet had been added to the catalog before 2023.
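Since the catalog itself announces no such flip, the practical check is to diff successive snapshots of the KEV JSON feed on its knownRansomwareCampaignUse field. As an added example (not from the article or from GreyNoise), the following diffs two constructed snapshots with placeholder CVE IDs and flags flipped entries that were added before 2023:

```python
import json

# Constructed sample snapshots in the shape of the CISA KEV JSON feed
# (field names follow the real feed; the CVE IDs are placeholders, not real entries).
KEV_OLD = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "dateAdded": "2022-05-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "OtherProduct",
     "dateAdded": "2024-01-10", "knownRansomwareCampaignUse": "Known"},
]})
KEV_NEW = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "dateAdded": "2022-05-03", "knownRansomwareCampaignUse": "Known"},   # silently flipped
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "OtherProduct",
     "dateAdded": "2024-01-10", "knownRansomwareCampaignUse": "Known"},   # unchanged
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "ThirdProduct",
     "dateAdded": "2025-02-01", "knownRansomwareCampaignUse": "Unknown"}, # newly added
]})


def index_by_cve(feed_json):
    """Map cveID -> entry for one snapshot of the feed."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def ransomware_flips(old_json, new_json, cutoff_year=2023):
    """Entries present in both snapshots whose ransomware indicator became 'Known'.

    Each result is also tagged with whether the entry predates cutoff_year, since an old
    entry a team may have already closed out is the case most likely to be missed.
    """
    old, new = index_by_cve(old_json), index_by_cve(new_json)
    flips = []
    for cve, entry in new.items():
        before = old.get(cve, {}).get("knownRansomwareCampaignUse")
        after = entry.get("knownRansomwareCampaignUse")
        if before is not None and before != "Known" and after == "Known":
            flips.append({
                "cveID": cve,
                "vendorProject": entry["vendorProject"],
                "product": entry["product"],
                "dateAdded": entry["dateAdded"],
                "added_before_cutoff": int(entry["dateAdded"][:4]) < cutoff_year,
            })
    return flips


def new_entries(old_json, new_json):
    """cveIDs that appear only in the newer snapshot (the change CISA does announce)."""
    return sorted(set(index_by_cve(new_json)) - set(index_by_cve(old_json)))
```

Pointing index_by_cve at two saved copies of the live feed (for example, one per day) turns this into a scheduled check that can raise a ticket when a tracked CVE flips.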
UK investigates potential cyber sanctions breaches
The UK’s Cyber Sanctions Regulations 2020 prohibit ransomware victims from making extortion payments to a list of banned entities and individuals without obtaining a license from the Office of Financial Sanctions Implementation. According to records obtained by Recorded Future News, the UK launched its first investigation into a suspected breach of these sanctions. The investigation is examining five potential sanctions breaches involving firms in the financial services sector. It’s not clear if these violations were self-reported or if any funds actually changed hands.
Wrongfully jailed pentesters receive settlement
Early in the morning of September 11, 2019, pentesters Gary De Mercurio and Justin Wynn tested alarm systems at a Dallas County, Iowa, courthouse as part of a contracted security test. They had received clearances from the state and city police for the test. After triggering the alarms, they eventually received a police response and presented their state contract without issue. However, when the county sheriff arrived, he arrested them for breaking into county property. This sparked a protracted legal battle in which state officials allegedly backtracked on prior approvals for the work. While the charges were eventually dropped, a judge recently awarded them a $600,000 settlement from the county in a civil suit arising from the false arrest, abuse of process, defamation, and other damages.
Iron Mountain downplays recent breach impact
Earlier this month, the threat group Everest claimed on its leak site that it had stolen 1.4 terabytes of “internal company documents,” including client information, from the data and records management giant Iron Mountain. The company told Bleeping Computer that the attack used compromised credentials to access a single folder on a server that contained marketing materials. It maintains that Everest didn’t deploy any ransomware or impact any other systems. Everest has been active since 2020, serving as an initial access broker and conducting data-theft extortion operations.
TLS 1.0 put out to pasture
If you woke up feeling like your cloud storage is a little more secure, it’s not just you. Microsoft officially stopped supporting TLS 1.0 and 1.1 for Azure Storage services. Both were deprecated in 2021 but remained available for compatibility. Microsoft had tried to cut off these ancient protocols before: the retirement was initially scheduled for November 2024, then pushed back to November 2025. Admins and legacy app developers had until February 3, 2026, to migrate to a more modern version.